22 May 2020

unid 200Bd/800 FSK

Odd  and unid (to me) 200Bd/800 FSK spotted this morning on 5094.7 KHz (CF). ACF shows a transmission period of 15 bit: 111101011100101
Apparently, no relevant results after defferential decoding or descrambling tries.
Fig. 1
Fig. 2 - 15-bit pattern in the decoded bitstream
Note also in Fig. 3 the unwanted "spikes" during the manipulation when carrier (and carrier phase too in this case) change:

Fig. 3
All my TDoA Direction Finding runs point to the District of Poznan, Poland.

Fig. 3 - TDoA results

16 May 2020

yet another odd STANAG-4481F channel

May 16th update
Interesting tip from my friend cryptomaster (thanks) who pointed me the 13229 KHz (cf) fequency: also in this case it's a STANAG-4481F transmission with the characteristic of the 3-bit pattern (and obviously KW-46 encryption) but the source, however, is NAU Naval Radio Transmitter in Isabela  (PTR).

Therefore, contrary to what I had observed so far, such broadcasts do not come only from Niscemi (NSY) and Barford (AJE). Below the updated list of the successful frequencies and sites (all CF):

05120.5 NSY
06383.0 NSY
06732.0 AJE
07545.5 NSY
08145.0 NSY, AJE
08204.5 NSY
13229.0 NAU

May 9th
6732.0 KHz: another STANAG-4481F KW-46 secured channel that use the odd 3-bit pattern discussed here. This one is most likely from AJE (Barford St, John, UK) and // with 8204.5 KHz from NSY (Niscemi, Italy). 

Fig. 1
Fig. 2
Fig. 3

So far, it seems that only the transmissions from NSY and AJE exhibit the odd 3-bit pattern we are talking about. Below the current list of the successful frequencies which I observed (all CF):

5120.5 NSY
6383.0 NSY
6732.0 AJE (new update)
7545.5 NSY
8145.0 NSY, AJE
8204.5 NSY

In winter, my friend cryptomaster observed two more frequencies: 4723.9 and 5118.6 kHz (the latter probably NSY tuning freq.).

As said, it's to notice that most of the times the NSY frequencies are logged as "NSY Sigonella": well, NAVCOMTELSTA (U.S. NAVAL COMPUTER AND TELECOMMUNICATIONS STATION) Sicily, located in Naval Air Station  Sigonella, manages the Naval Radio Transmitter Facility Niscemi, housing LF/HF transmitters. Same story about AJE Barford St.John that probably is sometimes reported as Croughton, nearby (6 miles distant). 

13 May 2020

(slow) 19.5Bd/97Hz FSK, likely a Russian-Mil network

19.5Bd/97Hz (slow) FSK waveform spotted on 5331.0 KHz followed by opchat in Morse:
"RGJV de PZSF QSY 17542 K"

Source is probably some Russian-Mil network. Transmission consists of a repeated 126-bit sequence (Figs. 1,2).

Fig. 1
Fig. 2
 Interesting: a time shift of half bit is added after each sequence most likely for synch purposes (Fig. 3)

Fig. 3
A similar signal, except the 125 Hz shift, was also noted by my friend Cryptomaster:

26 April 2020

STANAG-4285 async 1200bps test transmissions from Turkey

For about a week I monitored STANAG-4285 1200bps async transmissions heard on several frequencies in the 6 MHz band according to Table I; after April 23th the transmissions have stopped (at least in the 6 MHz band and until today). About the used frequencies, I have not found any match either in the UDXF group logs database or in other resources on the web.

Table I
The transmissions take place with a cycle of about 2 minutes and 25 seconds and seem to use a kind of "call/reply" mode between two stations a,b (since the different strength of the signals); don't know who's the caller and who's the called, but I noticed different patterns depending on the monitored day, as for example in Fig. 1

Fig. 1
The use of two frequencies was also observed (Fig. 2). Obviously it is automated transmissions or controlled by software. Messages, net of 32 bits each for SOM & EOM, have the same length each day, e.g. 8832/5760 bits (caller/called); user-data are encrypted and then transmitted using the 8N1 framing (Fig. 2). Note that the Turkish S-4285 async transmissions I have met so far used the 5N1.5 framing.

Fig. 2 - (the different durations of the signals on the left depend on the waterfall rate that has been selected)

As from Table I, the STANAG-4285 submode 1200bps/L was used from April 15th to April 19th, then the submode 1200bps/S was used.

The direction finding (TDoA) results indicate an area of southern Turkey as a possible transmitter site (Fig. 3); results may be a bit incorrect since the short durations of the signals, anyway it's quite credible. Such a location, along with the transmission schedule and with the encryption algorithm, allows for some observations and comments.

Fig. 3
As seen, the contents of the messages are encrypted but the encryption algorithm does not correspond to the known ones such as KG-84/BID and KW-46/KIV-7 therefore the use of a "national algorithm" can be assumed. TÜBİTAK (Technological Research Council of Turkey) National Electronic and Cryptology Research Institute (UEKAE) developed secure communication solutions in terms of cryptographic algorithms, protocols, and architecture as well as data encryption devices such as the MİLON family (MİLON-4A was also approved by NATO) [1] [2]. It is reasonable to think that these transmissions, as well as other encrypted transmissions from Turkish Armed Forces which are reported in this blog, use such encryption systems.

Fig. 4 - some encryption devices by TUBITAK
The way these transmissions are conducted suggests that they are tests. STANAG-4285 is now a consolidated and widely used waveform and therefore the tests could concern the installation of a new HF system (maybe a MRL system?). There is also another somewhat "suggestive" hypothesis: on-field tests of a SCA-based 4285 waveform on proprietary advanced SDR transceivers. Indeed, TUBITAK UEKAE ported two different waveforms to the Spectrum's flexComm SDR-4000 for demonstration to the Turkish Ministry of Defense: an implementation of STANAG-4285 for high frequency (HF) radio links and APCO Project 25 (P25) for public safety links [3].
[1] https://www.hurriyet.com.tr/gundem/natonun-kripto-cihazlari-tubitaktan-9191151
[2] https://bilgem.tubitak.gov.tr/.../corporate_presentation_v7-2019.04.09.pdf
[3] https://pdfs.semanticscholar.org/

8 April 2020

F7B with mixed offsets mode (likely Ukr nets)

Some days ago my friend Mike (mco) sent me an interesting record about a seeming MFSK-4 signal (fig. 1) originating north of Rivne, Ukraine; such (duplex) transmissions are frequently heard on 13873.55, 15833.55, 15863.55, 16354.55, 17412.55, 17442.55 & 17469.55 KHz (Rivne TX).

Fig. 1
Actually, it's an F7B mode [1] which is actively used by Ukrainian Nets. SA program parses these transmissions as classic MFSK-4 therefore the bitstream after MFSK demodulation does not make sense. F7B is a FSK modulation technique with four modulation frequencies, the two transmission channels, termed V1 and V2, usually transfer T-207 ciphered data and are obtained through six possible combinations of the four frequencies and this leads to 6 different modes F7B-1 to F7B-6.
Hoka Code300 demodulates such transmissions using the mode "Baudot F7B" and the right offsets: since the output will always be something like garbage (contents are encrypted) will be quite difficult detect the correct mode.
This sample I think it's a  combined "free modes" in which the used offsets and speeds are: -1200 -400 +400 +1200 400Bd, -750 -250 +250 +750 250Bd, and -600 -200 +200 +600 200Bd; anyway, it's to be noticed a change of the center frequency between the first and the second mode (Figs 2,3).

Fig. 2
Fig. 3
"They use a wide range of frequencies and I've not noted all of them. This list seems ok but it certainly include Main stn freqs and also side B stations ones and some are missing. They are working full duplex with abroad stations according to multiple TDoAs. So far I've seen them using MFSK-4 with 50/100 80/160 100/200 125/250 160/320 200/400 250/500 400/800 500/1000 settings" my friend Linkz say.

Fig. 4 - TDoA Tx site (thanks to Mike)
[1] http://resources.rohde-schwarz-usa.com/c/manual-of-transmissi-2

30 March 2020

few comments on the secured 50-75Bd/850 FSK transmissions

Just to spend a bit of time during this ugly period, I thought I'd take a look at the naval BRASS systems (1) that use the 50Bd/850 and 75Bd/850 (STANAG-4481F) FSK waveforms as well as the  crypto devices that are used in those transmissions. 
A necessary introduction, to not forget, concerns the use of the terms KG-84 and KW-46: well, it does not necessarily mean that those devices are physically deployed ashore or aboard. Rather than to the equipments, these names must be understood as referring to the used "algorithms", since - unless few exceptions - many of those devices are now obsolete and no longer used. Actually, the algorithms are emulated by interoperable and more compact devices such as, for example, the KIV-7M Programmable Multi-Channel Encryptor that can be used for communicating with the older KG-84/KIV-7 family of devices. So, I talk about

- KG-84: when is detected the presence of the 64-bit frame sync
followed by the 128-bit message indicator;

- KW-46: when is is detected the presence of the Fibonacci's bits generated by the polinomyal
x^31 + x^3 +1 (KW-46T uses that M-sequences to synch the KW-46R receive devices).

Using KiwiSDRs located in various parts of the world, and with some lists of logs from UDXF friends, I spent some days browsing the HF spectrum, recording and analyzing as many 50-75Bd/850 FSK transmissions as possible (so far I have come up to 51 different FSK channels), and logging the results into a spreadsheet. By the way, I added the "false 75Bd" frequencies (see this post) to the group of the 50Bd FSK.
Beyond that the "working" list of frequencies is certainly not complete, a fact appears to emerge quite clearly: all the 50Bd/850 FSK transmissions use KW-46 encryption while all the 75Bd/850 FSK use KG-84/KIV-7 encryption!

Fig. 1
(French Navy 50Bd/850 FSK is a separate discussion: they use a 21-bit period stream consisting of frames which are delimited by two LFSR markers M1 M2 generated by the polynomials x^6+x^5+1 and x^7+x^6+1 and a logical "1" value bit; these transmissions were not considered here).

Given that KW-46 is used to secure the fleet broadcasts and KG-84 is used to secure Point-To-Point  (PTP) circuits and multi-station nets [1], it follows that 50Bd/850 FSK is used for broadcast.
For what concerns the 75Bd/850 FSK transmissions, they consist of a continuous  flow of short/long messages; thus, since by their nature  PTP and MRL (2) transmissions are sporadic  and short-lived, 75Bd/850 FSK is used for a "some type of broadcast" for those unspecified multi-station nets. In this regards, it's to notice that some stations may operate simultaneously with the two waveforms, as for example NPN Lualualei (Hawaii, US) which has been heard on 9075 KHz (75Bd) and 9112 KHz (50Bd), thus serving  two different scopes at the same time (Fig. 2).

Fig. 2
It's also to notice that different baud rates and encryption devices were used for GENSER (General Service) traffic and for CRITICOMM (operational intelligence) traffic, but that information is from old non-classified documents from 50 years ago.
I've not clear in mind what "multi-station net" stand for neither if they still refer to naval communications (it could also be that 75Bd just repeate the 50Bd broadcast). The FSK hunt continues...

(1) BRASS (Broadcast and Ship to Shore) is an approach used by Navies, particularly in NATO countries, to communicate between Ships and Shore using HF Radio. The core of a BRASS service is a continuous HF broadcast going out to multiple ships and on several frequencies (typically four or five) to allow ships to select a frequency that works.

(2) The BRASS service makes use of three types of point to point link:
- Ship to Shore. A special link that supports message flow from a ship to shore and request to re-send missing or corrupt messages. Frequency Assignment Broadcast (FAB) is used to allow ships to share a pool of HF frequencies for ship to shore communication.
- Ship to Ship: to support direct communications between ships.
- Maritime Rear Link (MRL).  A link between selected ships (usually "Command Afloat") and shore, supporting message flow in both directions.

15 March 2020

Again about the STANAG-4481F transmissions from NRTF Niscemi

(cryptomaster, I56578. KarapuZ)

STANAG-4481F on 18370 KHz from NPN US Navy, Guam
This is an update and just some remarks to a previous post post which I reference for background. All frequencies are CF (tuning + 2k).

1) the signal

Discussing the signal together, my friend cryptomaster had the suspect that a 50 bps data flow is transmitted using a device which is designed to transmit only with a speed of 75 bps: it could be correct.  The ratio 75/50 is equal to 1.5 thus each "original" bit is repeated 1.5 times. The bit editors work with an integer number of bits (they can't represent half bit) thus the 1.5 bit view is possible only by aggregating two consecutive frames and then getting an integer number of 3 consecutive bits (i.e. 1.5 x 2): thus the 3-bit structure that we see (it's the same of the async 5N1.5 framing which is represented as a 15-bit pattern, i.e. 7.5 x 2). Therefore the bits of the stream are allocated as follows:

A S-4481F transmission lasting 10 seconds produces 750 bits that can be arranged into a 3 x 250 bits pattern; by removing one column we get 2 x 250 = 500 bits that just match a 50bps transmission of the same duration (10 seconds).
But what about the M-sequence generated by the polynomial x^31+x^3+1 ? Notice that the Wagner(13,12) coding, which is used for example in STANAG-5065, replaces each second Fibonacci bit with the parity bit: well, the new Fibocaccci sequence bits (the half of the original one!) still belongs to the same polynomial x^31+x^3+1 (see this post).
Indeed, filtering out the replicated third bits from a 75bps demodulated stream from NSY Niscemi and resizing the resulting stream into a 7-bit pattern, it turns out that we get an usual KW-46 encrypted 7-bit stream (Fig. 1).

Fig. 1
In the light of the above, I analyzed again the signals in order to verify what we hypothesized and found above. I compared a signal from NSY Niscemi recorded on 6383 KHz (3-bit pattern S-4481F) and another one from NAU Isabela 12120 KHz (plain S-4481F) by using the the modified quadrature amplitude detector of SA software: you can valuate the different results (Fig. 2).

Fig. 2
Even more interesting: all the signals from Niscemi show the extra harmonics EXCEPT the signal on 6942 KHz which is correctly modulated (Fig. 3) and coincidentally does not has the 3-bit pattern (Fig. 8).

Fig. 3
Then I selected the 50 Hz clock from the NSY signal and subsequently I demodulate it by using the synch'ed FSK demodulator: the test was successful and replicated the same results that I found using the theory and manipulating the bitstreams (Fig. 4). So, 50 bps seems to be the right working speed.

If our analysis is correct and we are right, it seems that they use the 75 bps STANAG-4481F waveform to send 50 bps streams (?!). We do not know the reason but probably you can  do this. In synchronous transmissions the DTE usually provides the transmit clock to the modem but perhaps they could use a modem - e.g. like the Harris RF-5710A - which can recover the clock automatically from the incoming transmit data (transmit clock set to "DATA" or in "recovery mode").

As proved, decoding those signals using standards modes, or changing the speeds to 50 bps, unfortunately does not work: the only successful way is to sync the FSK demodulator to the 50 Hz clock of the signals. Since we are talking about shore-to-ship broadcast, I wonder how the receive ships may manage these transmissions.

2) the source

(monitoring was carried out according to a list of frequencies from logs and in any case not 24/7)

a) Using remote KiwiSDRs, and with the help of my friend Mike "mco", I checked several S-4481F transmissions from AJE Barford St.John, NAU Isabela, NPG Dixon, NPM Lualualei, NPN Guam, NSY Niscemi, and NSS Davidsonville but - so far - only those from NSY and AJE exhibit the odd 3-bit pattern we are talking about. Despite many attempts, still not heard S-4481F transmissions from Totsuka and San Diego and I'm not aware of such transmissions from Diego Garcia (50Bd/850 only?) or any other station.
Below the current list of the successful frequencies:

5120.5 NSY
6383.0 NSY
7545.5 NSY
8145.0 NSY, AJE
8204.5 NSY

It's to notice that most of the times the NSY frequencies are logged as "NSY Sigonella": well, NAVCOMTELSTA (U.S. NAVAL COMPUTER AND TELECOMMUNICATIONS STATION) Sicily, located in Naval Air Station Sigonella, manages the Naval Radio Transmitter Facility Niscemi, housing LF/HF transmitters [1][2]. Same story about AJE Barford St.John that probably is sometimes reported as Croughton, nearby (6 miles distant) [3][4]. 

b) Interestingly, 8145 KHz is shared by NSY and AJE; often I have been able to see contemporary broadcasts and same contents (Figs 5,6). The modified AM detector shows the same results as the ones of Fig. 3

The modified AM detector shows the same results as the ones of Fig. 3:

Fig. 7

 c) According to the Tx sites (NSY in Italy and AJE in UK) this type of traffic is beamed only by some European stations. 

d) As said above, I also spotted a S-4481F transmission on 6942 KHz that DF points to southern Sicily, thus it's again NSY. However, this signal does not have the expected 3-bit structure although it's contemporaneous to another S-4481F transmission beamed from NSY on 6383 Khz (Figs 8,9). So, it seems that most of the 3-bit structured signals come from NSY,  but not all those coming from NSY have that feature. Still not heard S-4881F transmissions on the other NSY frequencies 10974 and 15018 KHz.



28 February 2020

Makhovik secured CIS PSK2/1200Bd

This post is an update and a correction to a previous post to which reference. I want to thank an anonymous reader who in his comment to that post suggested to use differential PSK2 decoding.
In that post I verified the use of Makhovik crypto system (T-230 bundle ciphering device for teleprinter and data connections) in CIS-12 transmissions as well as in CIS PSK2/1200Bd (CIS-1200) transmissions. One of Makhovik's features that can be considered as a signature, in addition to the characteristic 30-bit Message Indicators, is the use of 511-bit pseudo-random sequences generated by the primitive polynomial x^9+x^5+1. These sequences follow the ITU Recommendation O.153 [1] and are primarily intended for error measurements at bitrates up to 14400bps  and synchronization purposes (188-110B "39-tone parallel mode" too uses that pattern).
I searched just these 511-bit sequences in three different CIS-1200 recordings (files psk2_a, psk2_b, and psk2_c) and the search was successful in all the three files but I did not find the right sequences, and then the generator polynomial x^9+x^5+1, in the _a recording (Fig. 1).

Fig. 1
As said above, an anonymous reader suggested to use differential decoding for the _a file: well, I took his advice and results are interesting: as shown in Fig. 2, after the differential decoding the bitstream have the right 511-bit sequences generated by the polynomial x^9+x^5+1 !

Fig. 2 - psk2_a diff. decoded bitstream
This is a further indication in favor of the use of  Makovik encryption with the CIS-1200 waveform,  in these cases the modem T-230-1A (a single channel version of T-230) should have been used. 
As usual, further recordings are needed.

24 February 2020

3 x 7-bit KW-46 secured channels over STANAG-4481F, NRTF Niscemi

(cryptomaster, I56578, KarapuZ)

This post may be considered as a continuation of an interesting analysis started by my friends cryptomaster and  KarapuZ, see the radioscanner post for background. The signals analyzed by my friends and me consist of STANAG-4481F waveform (also known as NATO-75, FSK 75Bd/850) and  have been spotted on 8202.5 KHz/usb (tuning frequency, CF = +2000 Hz): in our opinion they seem to be (off line) fleet broadcasts of 3 x 7-bit multiplexed encrypted channels.
I want to thank my friend AngazU and the owner of the KiwiSDR in Alicante (Spain) who allowed me to use his device w/out time limits in order to monitor these transmissions.

The interesting aspect is the 3-bit structure which is visible in SA raster (Fig. 1) by using, for example, a time window of 200ms (=15 bits @75bps); notice that it does not occur in time windows that implie a number of bits which is not an integer multiple of 3.

Fig. 1 - 3-bit structure in a 200ms raster window
Following this results, the demodulated stream has been reshaped into a 3-bit framing (Fig. 2): it is easy to see that two columns have the same content.

Fig. 2 - 3-bit framing of the demodulated stream
Then, each column in turn has been reshaped in a 7-bit pattern in order to obtain 3 separate files corresponding to the three channels. Karapuz noted that the Fibonacci's bit sequence (generated by the polynomial x^31 + x^3 + 1) is present in each channel (Fig. 3): this is the main indication that the source data was encrypted using the KW-46/KIV-7 cryptographic device, according to STANAG -5065.

Fig. 3 - the KW-46 M-sequences in the 3 channels conveyed by a single S-4481F trasnmission
The presence of three distinct channels suggests that a time division multiplexer (TDM) be used upstream of the S-4481F modem, but there is a problem with the speeds at stake. The used TDM must have a 75bps "aggregate" speed in order to meet the S-4481F waveform requirements, thus each (encrypted!) input channel should have a speed of 25bps... but crypto devices such as KG-46 or KIV-7 do not work at speeds lower than 50 bps! (Fig. 4).

Fig. 4
So, it seems that a kind of "rate change" occurs between TDM and S-4481F modem but a such kind of store-and-forward device to down the speed  appears unrealistic in case of long broadcasts.

During my monitoring I had the luck to catch the beginning of a transmission. Interestingly, the M-sequences generated by the polynomial x^31 + x^3 + 1 just start from the very first bit of the 3 demodulated streams (100% indication in Fig. 5), there are no signatures or magic numbers attributable to transfer protocols or to file formats, neither preambles or synch sequences.

Fig. 5
According to TDoA direction finding tries, the transmitter site is the Naval Radio Transmitter Facility (NRTF) in Niscemi, Italy (Fig. 6): an infrastructure of the NATO communication system that is linked with other US military bases [1]. It's to notice that similar transmissions (3-bit structure S-4481F) can be heard on 7545.5 and 6383 KHz (CF), also them from NRTF Niscemi!

Fig. 6 - TDoA result
As I said, two channels have the same content, as indeed shown in the raster (Fig. 1): it's to notice that such repetitions of encrypted channels were also noted in some KW-46/KIV-7M secured fleet broadcast of the Australian Ny, see the blog post. In that case we have an aggregate speed of 600bps and 12 multiplexed channels, i.e. 50bps speed per channel.

I checked sveral other S-4481F transmissions but so far these odd 3-bit structure is present only in the ones coming from Niscemi: help and comments from readers are very apreciated and welcome.

High Frequency dual mode antennas at NRTF Niscemi (source Wikipedia)
24 Feb update
As expected, parallel transmissions on 8204.5 KHz and 6383 KHz convey the same content (Fig. 7); the third frequency (7545.5 KHz) is not used at this time. 

Fig. 7 - same contents on parallel transmissions

  (to be continued)
[1] https://www.globalsecurity.org/military/facility/niscemi.htm 

12 February 2020

Interesting MS-110D App.D (WBHF) traffic

Interesting traffic heard on 5750 KHz/USB and picked up thanks to the UK KiwiSDR owned by G8JNJ.
Most of the signals are definitely "110C Appendix D" 3 KHz BW waveform (WID 1 or 2, BPSK). The synchronization preamble has a framing of ~240ms length that makes 576 symbols @2400Bd speed (Fig. 1). From 188-110C App.D documentation, the orthogonal Walsh modulation is used in the synchronization section of the preamble and the length of the repeated super-frame is 18 channel-symbols, ie: 9 (fixed) + 4 (downcount) + 5 (waveform identification). Since in 3 KHz bandwidth waveforms the preamble channel-symbols are 32 symbol long, the length of each repeated superframe is: 18 (channel-symbols) x 32 (length of one channel-symbol) that just matches the measured 576 symbols length.
Data section has 40ms length frames (Fig. 2) i.e. each frame consists of 96 symbols: 48 unknown data + 48 known data (mini-probe). This framing meet the waveform IDs 1 and 2 of the 3KHz bandwidth set (BPSK modulated data).

Fig. 1 - Synchronization preamble superframes
Fig.2 - data section frames
Anyway, FLSU BW5 bursts and unid 2400Bd bursts are the most interesting aspects in this catch.
In my opinion the presence of (repeated) 3G-HF Fast Link SetUp (FLSU) BW5 bursts is rather strange also because the link seems to be terminated with a 188-141A 2G-ALE "TWS" sequence: a kind of "fall back" for 2G-ALE? Perhaps we're dealing with a STANAG-4538 "circuit-mode" service and I did not hear the BW5 PDUs sent by the other side of  the link, or perhaps BW5 PDUs are just used to signal the following traffic waveform.
The other 2400Bd bursts (Fig. 3) have a fixed duration of ~2840ms: unfortunately the poor SNR of the signals does not allow to get other significant parameters from their analysis.

Fig. 3
As said, the link was terminated using 2G-ALE: the TWS message was sent by the ALE callsign "AC7", It's to be noticed that during the monitoring period other ALE soundings from calls "AC7" and "AC9"  have been heard. According to recent UDXF logs, these calls refer to a unid Jordan network, although it sounds weird to me that they use WBHF technology. Maybe some WBHF trials... but it's just a guess.